gglib.exe problems (QLowZones-15) [RESOLVED]


#1
DODDY123 (New Member, 4 posts)

I am a complete novice, so please be nice :tazz:

I keep getting a virus message saying that I have the virus QLowZone-15 and that gglib is infected. I try to delete this file but it will not let me. Please help.

Cheers
DODDY


#2
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Welcome to GTG.

Please read the first link in my signature and follow the steps outlined there. When you are ready, post the HijackThis log here.

#3
DODDY123 (Topic Starter, New Member, 4 posts)

Hi, O.K. I think I have done everything, but as I said, I am very new to this.
Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 15:07:12, on 19/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\keyhook.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Deskjet 1280\Toolbox\mpm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\CraigD\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fujitsu-siemens.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.20.10:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HPWS myPrintMileage Agent] C:\Program Files\Hewlett-Packard\HP Deskjet 1280\Toolbox\mpm.exe
O4 - HKLM\..\Run: [vmtuner] gglib.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [key] C:\WINDOWS\System32\winxp.exe
O4 - HKCU\..\Run: [win_upd.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKCU\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsu-siemens.com
O15 - Trusted Zone: http://*.windupdates.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126785423867
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126785404539
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx
O16 - DPF: {7C405D1B-4007-11D3-8B8E-00104B3E656F} (SBCRecorderPlayer Control) - https://www.vodafone...order/SBCRP.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BPT-Skerman.local
O17 - HKLM\Software\..\Telephony: DomainName = BPT-Skerman.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BPT-Skerman.local
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

#4
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

You're doing well here. Our instructions should be straightforward and easy to follow, but if you have any questions, don't hesitate to ask here :tazz:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are listed below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net...wnload/updates/ to update manually.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate link if the main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to log off.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [vmtuner] gglib.exe
O4 - HKCU\..\Run: [key] C:\WINDOWS\System32\winxp.exe
O4 - HKCU\..\Run: [win_upd.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKCU\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe
O15 - Trusted Zone: http://*.windupdates.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab


Locate and delete the following:

gglib.exe
C:\WINDOWS\System32\winxp.exe
C:\WINDOWS\System32\WINdirect.exe


Restart your computer. Post the logs for HijackThis and Ewido.

#5
DODDY123 (Topic Starter, New Member, 4 posts)

Hi,
O.K. I think everything is done. The only thing that I could not do was locate and delete the three files:

gglib.exe
C:\WINDOWS\System32\winxp.exe
C:\WINDOWS\System32\WINdirect.exe

Here are the logs.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 09:18:16, 20/09/2005
+ Report-Checksum: 8D02AF5B

+ Scan result:

C:\ntdetecd.exe -> Spyware.Hijacker.Generic : Ignored
HKLM\SOFTWARE\Classes\CLSID\{7C559105-9ECF-42b8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTx.Installer -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTx.Installer\CLSID -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer\CLSID -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/istactivex.dll -> Spyware.ISTBar : Cleaned with backup
C:\Documents and Settings\CraigD\Application Data\Macromedia\Flash Player\#SharedObjects\Ahead Nero 7.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Documents and Settings\CraigD\Application Data\Macromedia\Flash Player\#SharedObjects\Kaspersky Antivirus 5.0 -> Worm.Bagle.ah : Cleaned with backup
C:\Documents and Settings\CraigD\Application Data\Macromedia\Flash Player\#SharedObjects\KAV 5.0 -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Autodesk Shared\Ahead Nero 7.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Autodesk Shared\Kaspersky Antivirus 5.0 -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Autodesk Shared\KAV 5.0 -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Autodesk Shared\Microsoft Office 2003 Crack, Working!.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Autodesk Shared\Microsoft Office XP working Crack, Keygen.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Autodesk Shared\Microsoft Windows XP, WinXP Crack, working Keygen.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Autodesk Shared\Opera 8 New!.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Autodesk Shared\[bleep] pics arhive, xxx.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Autodesk Shared\[bleep] Screensaver.scr -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Autodesk Shared\[bleep], sex, oral, anal cool, awesome!!.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Autodesk Shared\Serials.txt.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Autodesk Shared\WinAmp 5 Pro Keygen Crack Update.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Autodesk Shared\WinAmp 6 New!.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Autodesk Shared\Windown Longhorn Beta Leak.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Autodesk Shared\Windows Sourcecode update.doc.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Autodesk Shared\XXX hardcore images.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Adobe Photoshop 9 full.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Ahead Nero 7.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Kaspersky Antivirus 5.0 -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\KAV 5.0 -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Matrix 3 Revolution English Subtitles.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Microsoft Office 2003 Crack, Working!.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Microsoft Office XP working Crack, Keygen.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Microsoft Windows XP, WinXP Crack, working Keygen.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Opera 8 New!.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\[bleep] pics arhive, xxx.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\[bleep] Screensaver.scr -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\[bleep], sex, oral, anal cool, awesome!!.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Serials.txt.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\WinAmp 5 Pro Keygen Crack Update.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\WinAmp 6 New!.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Windown Longhorn Beta Leak.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Windows Sourcecode update.doc.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\XXX hardcore images.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\WexTech Shared\ACDSee 9.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\WexTech Shared\Adobe Photoshop 9 full.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\WexTech Shared\Ahead Nero 7.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\WexTech Shared\Kaspersky Antivirus 5.0 -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\WexTech Shared\KAV 5.0 -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\WexTech Shared\Matrix 3 Revolution English Subtitles.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\WexTech Shared\Microsoft Office 2003 Crack, Working!.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\WexTech Shared\Microsoft Office XP working Crack, Keygen.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\WexTech Shared\Microsoft Windows XP, WinXP Crack, working Keygen.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\WexTech Shared\Opera 8 New!.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\WexTech Shared\[bleep] pics arhive, xxx.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\WexTech Shared\[bleep] Screensaver.scr -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\WexTech Shared\[bleep], sex, oral, anal cool, awesome!!.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\WexTech Shared\Serials.txt.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\WexTech Shared\WinAmp 5 Pro Keygen Crack Update.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\WexTech Shared\WinAmp 6 New!.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\WexTech Shared\Windown Longhorn Beta Leak.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\WexTech Shared\Windows Sourcecode update.doc.exe -> Worm.Bagle.ah : Cleaned with backup
C:\Program Files\Common Files\WexTech Shared\XXX hardcore images.exe -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\6464.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\6464s-64PE.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\64s-mss-ms.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\ime\shared\ACDSee 9.exe -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\ime\shared\Adobe Photoshop 9 full.exe -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\ime\shared\Ahead Nero 7.exe -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\ime\shared\Kaspersky Antivirus 5.0 -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\ime\shared\KAV 5.0 -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\ime\shared\Matrix 3 Revolution English Subtitles.exe -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\ime\shared\Microsoft Office 2003 Crack, Working!.exe -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\ime\shared\Microsoft Office XP working Crack, Keygen.exe -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\ime\shared\Microsoft Windows XP, WinXP Crack, working Keygen.exe -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\ime\shared\Opera 8 New!.exe -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\ime\shared\[bleep] pics arhive, xxx.exe -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\ime\shared\[bleep] Screensaver.scr -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\ime\shared\[bleep], sex, oral, anal cool, awesome!!.exe -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\ime\shared\Serials.txt.exe -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\ime\shared\WinAmp 5 Pro Keygen Crack Update.exe -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\ime\shared\WinAmp 6 New!.exe -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\ime\shared\Windown Longhorn Beta Leak.exe -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\ime\shared\Windows Sourcecode update.doc.exe -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\ime\shared\XXX hardcore images.exe -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\msPEPE.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\ntms.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\or32sy32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\ornt64orms.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\PESP.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\s-hh.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\s-ornt.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SP32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SPnt6464.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SPnthh.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SPSP.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\syms.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\sys-sySPhh.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\32ororor.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\ect.exe -> Trojan.Baglet.a : Cleaned with backup
C:\WINDOWS\system32\gglib.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\hh32s-.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\hh64.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\hhnt.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\hhsys-sy.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\mssy64.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\ntms.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\orSP64.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\PESPhh.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\PEsy.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\PEsyntPE.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\SPms.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\SPnt.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\SPsys-.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\sys_xp.exe -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\system32\sys_xp.exeopen -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\system32\sys_xp.exeopenopen -> Worm.Bagle.ah : Cleaned with backup
C:\WINDOWS\system32\windll.exe -> Worm.Bagle.aq : Cleaned with backup
C:\WINDOWS\system32\windll.exeopen -> Worm.Bagle.aq : Cleaned with backup
C:\WINDOWS\system32\windll.exeopenopen -> Worm.Bagle.aq : Cleaned with backup
C:\WINDOWS\system32\winxp.exeopen -> Worm.Bagle.ai : Cleaned with backup
C:\WINDOWS\system32\winxp.exeopenopen -> Worm.Bagle.ai : Cleaned with backup
C:\WINDOWS\system32\_dll.exe -> Trojan.Glieder : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 09:26:09, on 20/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\CraigD\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fujitsu-siemens.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.20.10:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HPWS myPrintMileage Agent] C:\Program Files\Hewlett-Packard\HP Deskjet 1280\Toolbox\mpm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\CleanUp.exe /WindowsRestart
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsu-siemens.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126785423867
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126785404539
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx
O16 - DPF: {7C405D1B-4007-11D3-8B8E-00104B3E656F} (SBCRecorderPlayer Control) - https://www.vodafone...order/SBCRP.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BPT-Skerman.local
O17 - HKLM\Software\..\Telephony: DomainName = BPT-Skerman.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BPT-Skerman.local
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
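As an added example that is not part of this thread and not code from HijackThis or Geeks to Go: a small Python helper that parses HijackThis v1.99 entry lines, diffs the log from post #3 against the log from post #5 to show which entries the fix in post #4 removed and what appeared in their place, and prints the review hints a helper would want on O4 and O15 lines. The two logs are constructed excerpts of the ones posted above, and the triage heuristics (bare file name, value name that does not match the launched file, any Trusted Zone entry) are my assumptions, not HijackThis rules.

```python
"""Added example: parse HijackThis v1.99 entry lines, diff a before/after log
and print review hints. Heuristics are assumptions, not HijackThis rules."""
import re
from typing import List, Optional, Tuple

# Constructed excerpts of the logs in post #3 (before) and post #5 (after);
# a few header lines are kept to show that the parser skips them.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vmtuner] gglib.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [key] C:\WINDOWS\System32\winxp.exe
O4 - HKCU\..\Run: [win_upd.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKCU\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O15 - Trusted Zone: http://*.windupdates.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
"""
AFTER_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\CleanUp.exe /WindowsRestart
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")  # 'O4 - ...', 'R1 - ...', 'O23 - ...'
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|scr|com|bat))', re.IGNORECASE)


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for every entry line; header lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries only in the first log (gone after the fix) and only in the second (new)."""
    old = {f"{s} - {b}" for s, b in parse_log(before)}
    new = {f"{s} - {b}" for s, b in parse_log(after)}
    return sorted(old - new), sorted(new - old)


def executable_of(command: str) -> str:
    """Strip quotes and arguments from an O4 command to get the launched file."""
    m = EXE_RE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else command.strip()


def triage(section: str, body: str) -> Optional[str]:
    """Review hints (assumed heuristics): they point at entries worth a look,
    they do not by themselves say an entry is malicious."""
    if section == "O4":
        m = O4_RE.match(body)
        if not m:
            return None
        _hive, _key, name, command = m.groups()
        exe = executable_of(command)
        if "\\" not in exe:
            return f"O4 [{name}]: bare file name '{exe}', no path; find where it really lives"
        if name.lower().endswith(".exe") and name.lower() != exe.rsplit("\\", 1)[-1].lower():
            return f"O4 [{name}]: value name looks like an .exe but launches '{exe}'"
    if section == "O15":
        return f"O15 Trusted Zone entry ({body}); hijackers commonly add these"
    return None


def review(text: str) -> List[str]:
    """All hints for one log, in log order."""
    hints = []
    for section, body in parse_log(text):
        hint = triage(section, body)
        if hint:
            hints.append(hint)
    return hints


if __name__ == "__main__":
    gone, new = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("Gone after the fix:", *gone, sep="\n  - ")
    print("New after the fix:", *new, sep="\n  + ")
    print("Review hints (before log):", *review(BEFORE_LOG), sep="\n  * ")
```

Legitimate entries such as SoundMan also trip the bare-file-name hint, which is the point: a hint means "look at it", and the expert's judgement on which O4 lines to fix stays with the expert.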

#6
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

OK, not sure what happened here. Did you post this in a new topic? I was just checking through my replies and saw that you replied to it (once I visited the link). If you created a new topic some Moderator must have merged them and I didn't get the notice about it in my list of subscriptions.

Do you still have the problem now? If so, please run through the scans again so I can get a more updated log. Post a reply back here and not in a new topic...otherwise we'll be going in circles.

#7
DODDY123 (Topic Starter, New Member, 4 posts)

Hi, I am sorted now. Cheers. I found the site very, very helpful and will come back (well, I hope not actually :tazz: )

#8
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.